https://bz.apache.org/bugzilla/show_bug.cgi?id=64437

            Bug ID: 64437
           Summary: Renegotiation issue when using mod_proxy and OpenSSL
                    1.1.1
           Product: Apache httpd-2
           Version: 2.4.37
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

We ran into an issue with renegotiation when using mod_proxy and OpenSSL 1.1.1. 

The proxy engine reacts incorrectly by trying to reconnect the backend server
upon initiated renegotiation, finally resulting in "AH01997: SSL handshake
failed: sending 502".

Although the issue occurs with a self-compiled httpd binary (based on 2.4.43)
and with proprietary server software, we are able to reproduce the issue on
CentOS 8.

We use the following virtual host configuration, e.g. placed into
/etc/httpd/conf.d/sclient.conf. Note that /etc/httpd/conf/httpd.conf and
/etc/httpd/conf.d/ssl.conf have not been changed.

--------
<VirtualHost *:443>

  ServerName sserver

  LogLevel trace7

  SSLEngine on
  SSLProxyEngine on
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder On
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

  <Location />
    ProxyPass https://sserver:10016/
    ProxyPassReverse https://sserver:10016/
  </Location>

</VirtualHost>
--------

As the backend server we use openssl s_server with the "-www" option, known to
trigger renegotiation when requesting the resource /reneg.

openssl s_server -port 10016 -www -tls1_2 -cert sserver.pem

When requesting https://sserver:10016/reneg (directly) with Firefox, s_server
shows a status page - thus renegotiation works correctly.

However, when requesting https://sserver:443/reneg (mod_proxy gets involved)
the status 502 is delivered by httpd. The error_log shows the following:

[Wed May 13 13:08:35.055113 2020] [proxy_http:trace3] [pid 21557:tid 139722668078848] mod_proxy_http.c(1403): [client 127.0.0.1:52862] Status from backend: 200
[Wed May 13 13:08:35.055123 2020] [proxy_http:trace4] [pid 21557:tid 139722668078848] mod_proxy_http.c(1053): [client 127.0.0.1:52862] Headers received from backend:
[Wed May 13 13:08:35.055142 2020] [ssl:trace4] [pid 21557:tid 139722668078848] ssl_engine_io.c(2230): [remote 127.0.0.1:10016] OpenSSL: I/O error, 5 bytes expected to read on BIO#7f13bc0454f0 [mem: 7f13bc05daa3]
[Wed May 13 13:08:35.055147 2020] [ssl:trace3] [pid 21557:tid 139722668078848] ssl_engine_kernel.c(2231): [remote 127.0.0.1:10016] OpenSSL: Exit: error in SSLv3/TLS write client hello
[Wed May 13 13:08:35.055152 2020] [ssl:info] [pid 21557:tid 139722668078848] [remote 127.0.0.1:10016] AH02003: SSL Proxy connect failed
[Wed May 13 13:08:35.055160 2020] [ssl:info] [pid 21557:tid 139722668078848] [remote 127.0.0.1:10016] AH01998: Connection closed to child 0 with abortive shutdown (server sclient:443)
[Wed May 13 13:08:35.055210 2020] [ssl:info] [pid 21557:tid 139722668078848] [remote 127.0.0.1:10016] AH01997: SSL handshake failed: sending 502

The logs show that headers can be received from the backend, but then httpd
erroneously tries to connect again.

The following is some version information about the system used for
reproduction:

[root@localhost ~]# cat /etc/centos-release
CentOS Linux release 8.1.1911 (Core)

[root@localhost ~]# /usr/sbin/httpd -V
Server version: Apache/2.4.37 (centos)
Server built:   Dec 23 2019 20:45:34
Server's Module Magic Number: 20120211:83
Server loaded:  APR 1.6.3, APR-UTIL 1.6.1
Compiled using: APR 1.6.3, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

[root@localhost ~]# yum info httpd
Name         : httpd
Version      : 2.4.37
Release      : 16.module_el8.1.0+256+ae790463
Architecture : x86_64
Size         : 5.4 M
Source       : httpd-2.4.37-16.module_el8.1.0+256+ae790463.src.rpm

[root@localhost ~]# yum info mod_ssl
Name         : mod_ssl
Epoch        : 1
Version      : 2.4.37
Release      : 16.module_el8.1.0+256+ae790463
Architecture : x86_64
Size         : 308 k
Source       : httpd-2.4.37-16.module_el8.1.0+256+ae790463.src.rpm

[root@localhost ~]# yum info openssl
Name         : openssl
Epoch        : 1
Version      : 1.1.1c
Release      : 2.el8_1.1
Architecture : x86_64
Size         : 1.2 M
Source       : openssl-1.1.1c-2.el8_1.1.src.rpm
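
A small error_log check, added here as an example and not part of the bug report: it parses httpd error_log records like the excerpt above and flags worker threads that logged "Status from backend: 200" and then AH01997 on the same pid/tid, which separates this spurious-reconnect pattern from an ordinary proxy handshake failure. The log lines in the block are constructed to mirror the report's excerpt (joined onto single lines), and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the report's error_log excerpt; the last line is an
# unrelated handshake failure on another thread that must NOT be flagged.
SAMPLE_LOG = """\
[Wed May 13 13:08:35.055113 2020] [proxy_http:trace3] [pid 21557:tid 139722668078848] mod_proxy_http.c(1403): [client 127.0.0.1:52862] Status from backend: 200
[Wed May 13 13:08:35.055142 2020] [ssl:trace4] [pid 21557:tid 139722668078848] ssl_engine_io.c(2230): [remote 127.0.0.1:10016] OpenSSL: I/O error, 5 bytes expected to read on BIO#7f13bc0454f0 [mem: 7f13bc05daa3]
[Wed May 13 13:08:35.055152 2020] [ssl:info] [pid 21557:tid 139722668078848] [remote 127.0.0.1:10016] AH02003: SSL Proxy connect failed
[Wed May 13 13:08:35.055210 2020] [ssl:info] [pid 21557:tid 139722668078848] [remote 127.0.0.1:10016] AH01997: SSL handshake failed: sending 502
[Wed May 13 13:09:01.000001 2020] [ssl:info] [pid 21557:tid 139722668078850] [remote 127.0.0.1:10016] AH01997: SSL handshake failed: sending 502
"""

# httpd 2.4 error_log layout: [timestamp] [module:level] [pid N:tid N] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[a-z_]+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$"
)


def parse(log):
    """Yield one dict per well-formed error_log line; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_reneg_failures(log):
    """Return sorted (pid, tid) pairs whose thread logged a backend 200 and, later in
    the file, AH01997. Order of appearance is used; timestamps are not compared."""
    state = defaultdict(lambda: {"backend_ok": False, "failed": False})
    for rec in parse(log):
        key = (rec["pid"], rec["tid"])
        msg = rec["msg"]
        if "Status from backend: 200" in msg:
            state[key]["backend_ok"] = True
        elif "AH01997" in msg and state[key]["backend_ok"]:
            state[key]["failed"] = True
    return sorted(k for k, s in state.items() if s["failed"])


if __name__ == "__main__":
    for pid, tid in find_reneg_failures(SAMPLE_LOG):
        print(f"backend answered 200 but proxy handshake then failed: pid {pid} tid {tid}")
```

Run it against a real error_log at LogLevel trace3 or higher for proxy_http, since the "Status from backend" line is only emitted at trace level.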
